This post is to announce the release of the following ColdFusion updates:

ColdFusion 2016 Update 4

ColdFusion 2016 Update 4 introduces support for Windows Server 2016, upgrades Tomcat to version 8.5.11.0 and fixes 115 bugs (including 52 external bugs) in areas such as Security, Language, Charting and Performance. This update also addresses vulnerabilities mentioned in the security bulletin APSB17-14. For details and instructions on how to apply this update refer this technote.

ColdFusion 11 Update 12

ColdFusion 11 Update 12 upgrades Tomcat to version 7.0.75. It also addresses vulnerabilities mentioned in the security bulletin APSB17-14 and fixes 59 bugs (including 28 external bugs) related to areas such as AJAX, Charting and Language. For details and instructions on how to apply this update refer this technote.

ColdFusion 10 Update 23

ColdFusion 10 Update 23 upgrades Tomcat version to 7.0.75. This update addresses vulnerabilities mentioned in the security bulletin APSB17-14 and includes a total of 17 bug fixes (including 7 external bugs) related to Language, Charting, Scheduler, Document Management and certain other areas. For details and instructions on how to apply this update refer this technote.

This post is to announce the release of the following ColdFusion updates:

ColdFusion 2016 Update 4

ColdFusion 2016 Update 4 upgrades Tomcat to version 8.5.11.0 and fixes 115 bugs (including 52 external bugs) in areas such as Security, Language, Charting and Performance. This update also addresses vulnerabilities mentioned in the security bulletin APSB17-14. For details and instructions on how to apply this update refer this technote.

ColdFusion 11 Update 12

ColdFusion 11 Update 12 upgrades Tomcat to version 7.0.75. It also addresses vulnerabilities mentioned in the security bulletin APSB17-14 and fixes 59 bugs (including 28 external bugs) related to areas such as AJAX, Charting and Language. For details and instructions on how to apply this update refer this technote.

ColdFusion 10 Update 23

ColdFusion 10 Update 23 upgrades Tomcat version to 7.0.75. This update addresses vulnerabilities mentioned in the security bulletin APSB17-14 and includes a total of 17 bug fixes (including 7 external bugs) related to Language, Charting, Scheduler, Document Management and certain other areas. For details and instructions on how to apply this update refer this technote.

The build number after applying thse updates should be:

2106,0,4,302561 for ColdFusion 2016;11,0,12,302575 for ColdFusion 11.10,0,23,302580 for ColdFusion 10.

Note:

Support for Windows Server 2016 will be introduced with the refreshed full ColdFusion 2016 server installer which will be made available shortly. Update: The new installer is now available, as of Apr 28.

The core support for ColdFusion 10 effectively ends on May 16, 2017. It will, therefore, receive no further updates. For detailed support timelines, see this EOL matrix.

If not, here’s possibly good news: I learned while working with someone else that there is indeed a fix for this problem, or at least it sounds exactly like your problem. See this Adobe bug report to confirm and especially for the available bugfix jar (which you would implement until Adobe comes out with the next major update to include it):

Charles, since you say the problem occurs “whenever” you “submit via ajax”, can you take a moment and create simple standalone example that demonstrates the problem? That’s always the best way to get a problem fixed, as then others (especially Adobe) can confirm seeing it and more readily then discern the exact internal problem.

It only needs to be one page (or two if you prefer) reflecting how you’re creating the ajax call, what you’re passing, and what should receive it. You can used fixed values rather than make it based on variable input.

It need not take more than several lines total and perhaps a few minutes to create, knowing what you do about your specific problem. Even if you may argue that you don’t want to apply update 4 to prove that it fails, any of us who have it could confirm for you if it does.

Of course, the best situation would be if you confirmed that your example worked on u3 and then failed on u4. Then if any of us couldn’t replicate the problem on u4, it would indicate something unique on your end (which may explain why we don’t hear of large-scale suffering of this). Or we may find that we can all demonstrate it, which should then help Adobe more quickly resolve it.

Or maybe they’ll write back saying that they are already aware of it. But they didn’t respond overnight, so it’s your call as to whether you really want to wait to hear from them or proceed with such a proof case.

I just installed it on 4 of our 5 Cf11 instances (all running on Server 2012 R2) using the CfAdmin gui with no problem.

The 5th machine always has issues when I use the CfAdmin giu so I do it manually using the instructions provide on the hotfix page (https://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-12.html). For some reason this update seems to break the ColdFusion Windows service so it will not start. There is no error in the Cf logs and the error in the Windows Application logs contains no info.

I made sure to check in Cf admin which java it was using (the install must use the same one as Cf). I navigated via CLI to that folder, stopped the Windows ColdFusion service, executed the hotfix file, and followed the install process. It says it completes successfully and a check of the install log shows no errors for anything (100% successful). When I go to start the Windows ColdFusion service it refuses to start. Running the uninstall via cli and removing the hotfix jar file resolves the issue so it is something with this hotfix. Cf may be able to start via the CLI but it needs to be running via the Windows Service.

@Charlie I do have 2 sites setup through IIS and double checked that it was calling the correct files and it was. I have not had time to call the code through the built in webserver but I did uninstall update 4, did not touch the connectors after the uninstall, and now my code works great again. So I am surprised no one else has had this issue on their site.

Matt,
In the code snippet you’ve shared it is not clear what “oDataProx” is.
Can you narrow the issue down to test code (something that can run outside the scope of your application) with which you can reproduce the issue.
If not, can you share details like the workflow you are following when you observe the error and the CFMs and CFCs that are pertinent to your workflow. You can mail it to me at pnayak@adobe.com

Thanks for providing the FATAL errors in the log. So, it’s clear from the errors that the server did not stop completely before the update was applied, hence it couldn’t backup the jar files.

Now, to make your main instance work, stop/kill all the CF process from Task Manager and try installing the update manually from command-line, using D:ColdFusion2016jrebinjava.exe -jar hf-updateshotfix-004-302561.jar, this should resolve the issue.

@Charlie once again I appreciate your time! I have done the updates in order and just to make sure tried the upgrade and also just removing and readding the connectors for the site I am using. I am getting the same issue. I did have more time and have figured out a little deeper what is going on. I have ruled out it being a Coldbox issue.

I setup my site running CF2016 and then CF10 and ran the same calls using the same codebase to both catching what is getting passed in the application.cfc “onCFCRequest” function. I just returned the arguments being passed into that method.

The arguments do not contain what is being passed in. The form data in the request Chrome network tab is identical.
So somewhere between the data being handled by CF and it invoking the CFC the arguments are being dropped. Strange.

As I mentioned it is across websites so I know it is not a code issue. Something got flipped or changed in the update that now is not playing nice with Coldbox proxy. When I call the URL that the proxy is calling from another tab, it works great. But run through CF it is giving me the parameter missing error. I will keep troubleshooting…just wondering if anyone else had this issue.

@Charlie, I did in fact read your article. it was helpful in pointing me to look in the right places for the log files and options to try to save the servers.

since my servers are virtual machines, and a full backup was done to them the day before
it was much easier for me to just roll them back to before the update was attempted.

my suggestion to Adobe is to get rid of the install update button in the CF admin.
even if it fails in a small percentage of cases, if there is a chance of trashing a server with it, then it doesn’t belong in the admin panel.

Can you share the update log file located at hf-updateshf-2016-00004-302561.
Can you let us know, what are the jars are present in update directory located at libupdates?
Did you restart the server manually to check, if the server is coming up? if not,can you try installing the update manually from command line, using Java -jar hf-updateshotfix-004-302561.jar and see if it works?

@Michael, I’ve updated five different CF2016 systems yesterday and today (dev, staging, and production) on multiple OSes including Win7, Win10, Win2012R2 server, MacOS, Ubuntu Linux AMI. I have not seen any issues with the update process for CF2016. There could be another issue that is causing a problem. If ColdFusion isn’t even starting make sure your Java install is still good. See previous comments about that and really read what Charlie wrote.

This was working before the update:
oDataProx.setForm(‘form2’);
oDataProx.setCallbackHandler(resultHandlerCanSup);
oDataProx.setHTTPMethod(‘POST’);
oDataProx.saveDataEntryCanSupProxy();

Now I get this error:
The FIRST_NAME parameter to the saveDataEntryCanSupProxy function is required but was not passed in.

And this is the params from chrome. the first_name is in the arguments.
method:saveDataEntryCanSupProxy
_cf_ajaxproxytoken:1A84CBE580F6C49DAFDFE549DDD4ABA344B9178FD67228338158CB09FFA29FB8
returnFormat:json
argumentCollection:{“typeAdd”:”Supervisor”,”first_name”:”asdf”,”last_name”:”asdfa”,”phone”:””,”email”:””,”formButton”:”Submit”}
_cf_nodebug:true
_cf_nocache:true
_cf_clientid:9BBD11A74E3C1216A93994EEC3DFAE38

And when I run just the URL to the proxy it works fine. So it has something to do with the reading of the arguments

Not sure if this is a Coldbox bug or CF2016. But the fact it started happening right when I updated makes me think it is the update. Anyone have any ideas or experiencing this? Thanks!

I am now restoring both of our CF 2016 servers after trying to install the CF2016 update 4 from earlier today. we clicked on the download and install button in the administrator (which usually works) and it trashed both of our machines.

here is the error message from the admin page (which crashes with an internal CF error)

The isAdminClientCertAuthEnabled method was not found.

Either there are no methods with the specified method name and argument types or the isAdminClientCertAuthEnabled method is overloaded with argument types that ColdFusion cannot decipher reliably. ColdFusion found 0 methods that match the provided arguments. If this is a Java object and you verified that the method exists, use the javacast function to reduce ambiguity.

The error occurred in Application.cfm: line 214
Called from Application.cfm: line 173
Called from Application.cfm: line 1

-1 : Unable to display error’s location in a CFML template.

stopping and starting the CF services doesn’t work, as the main service CF application refuses to start. I’ve been on hold for over an hour with adobe support waiting to talk to an engineer, so I think it is safe to say I am not the only person who is having problems.

Thank you for responding. I’ve sent you awn email with the information you requested. I’ve also tried the installs again per your request. The results thus far are as follows: I made sure the CF Admin updates page downloaded new jar files.

macOS: Failed same as before

Win7: “Failed” differently, but worked. The install appears to have put the install and uninstall files in the correct location. All CF11 services were stopped and eventually restarted. The Progress Information window in the CFAdmin never updated. Even after 15 minutes. I manually refreshed the CFAdmin page, logged back in and the update confirms it was installed.

Win10: “Failed” differently, but worked. The install appears to have put the install and uninstall files in the correct location. All CF11 services were stopped and eventually restarted. The Progress Information window in the CFAdmin never updated. Even after 15 minutes. I manually refreshed the CFAdmin page, logged back in and the update confirms it was installed.

Bernhard,
We’ve have made a change in our hosted resources. Can you please try running update 12 from the ColdFusion administrator again. Pls. clear your browser’s cache before attempting the update again.

Wil,
Can you please share the absolute path of your ColdFusion installation.
You’ve mentioned that “.coldfusion11hf-updates” gets created. Can you share the “hf-11-00012uninstallinstallvariables.properties” file with us. you can mail it to me at pnayak@adobe.com
In light of the change mentioned in my note for Bernhard above, can you also try the update process again.

@charlie You understand correctly. The only contents of c:coldfusion11 were the updates 11 and 12. It came into my mind the updater 11 had failed but I had not looked into the problem at that time. I simply installed the update via command line. The coldFusion administrator did download the updater jar file into the correct location on my d: drive. It was extracted into the wrong location.
I filed a finding some times ago: The version number of the installation is not correct. The build number is not increased: https://tracker.adobe.com/#/view/CF-4192428
The adobe people beleive this is an issue of a corrupt install.
When I installed the update on command line a UI popped up asking for the location. The input filed was preset to c:coldfusion11. I take it this is the default install location. I assume the configuration of my install somwhere deep down believes it resides in the default location on the c: drive.

@David: It’s not the Java install. Mine are intact. I never use the default system Java. I keep multiple and separate Java installs on my test systems for the purposes of testing.

@piyush: I already checked that’s why I posted a comment here.

More info. The Update 12 jar file downloads. It unpacks. The backup folders to rollback the update gets created in the wrong location. Now its created at .coldfusion11hf-updates instead of at .coldfusion11[instance name]hf-updates. The ever critical updates.xml file never get updated. With two instances running the CFUSION instance will be stopped and never restarted. The second instance never gets stopped. The install log shows the jar unpacked to the temp location, but the files are never copied to the ColdFusion folder.

@Charlie, the new installer is preconfigured with Update 3. One of the reasons was to maintain consistency in the installers across all platforms. More importantly, releasing the installer with Update 4 would have meant a delayed release for the new installers which we did not want since we know a lot of users are looking forward to these installers.

We had the same problem on our staging server. What caught my attention was that it said “error” in the progress bar as soon as I clicked it.

It turns out that someone had updated the Java client from 1.8.0_111 to 1.8.0_131 and that deletes the contents from the 111 directory. The CF server was still running because it had already loaded Java but anything that needed to invoke it again (like the download or installation of the hotfix) failed.

We stopped the CF Application service and updated the line in //cfsuion/bin/jvm.config to point to the new jvm location and started CF again. After that, it worked just fine.

I tried to install the Update via cfadmin and it did not work. I browsed my file system and found the installed update in folder
C:ColdFusion11cfusionhf-updateshf-11-00012
while my Coldfusion installation resides on drive d:

Wil,
First of all, please check to see if the update was installed successfully. You can check the update install log at /cfusion/hf-updates directory, for errors.
Did you try to start the cfusion instance manually, post update install?
Can you check the coldfusion start-up log (coldfusion-out.log) at /cfusion/logs/ for start-up related errors? Alternatively, you can start CF from the windows command console, by running the command: /cufison/bin/cfstart.bat. CF will log everything, including errors, upfront, in the console.